LWN Headlines

The 3.8 kernel is out

Linus has released the 3.8 kernel. "The release got delayed a couple of days because I was waiting for confirmation of a small patch, but hey, we could also say that it was all intentional, and that this is the special 'Presidents' Day Release'. It sounds more planned that way, no?" Some of the headline features in this release include metadata integrity checking in the xfs filesystem, the foundation for much improved NUMA scheduling, kernel memory usage accounting and associated usage limits, inline data support for small files in the ext4 filesystem, nearly complete user namespace support, and much more. See the (in-progress) KernelNewbies 3.8 page for lots of details.

SCALE speaker interviews

Security advisories for Monday

Debian has updated ffmpeg (multiple vulnerabilities), wireshark (multiple vulnerabilities), lighttpd (multiple vulnerabilities), nginx (CRIME attack), and nss-pam-ldapd (code execution).

Fedora has updated xen (F18; F17: denial of service), mingw-gnutls (F18; F17: plaintext recovery), groundbreaking (F18; F17: cross-site scripting), postgresql (F17: information disclosure/denial of service), kernel (F18: denial of service), openstack-keystone (F18: denial of service), and dnsmasq (F17: access restriction bypass).

Mageia has updated qt4 (multiple vulnerabilities), kdelibs (multiple vulnerabilities), ircd-hybrid (denial of service), java-1.7.0-openjdk (multiple vulnerabilities), and dbus-glib (privilege escalation).

Mandriva has updated postgresql (information disclosure/denial of service).

SUSE has updated firefox (multiple vulnerabilities).

Ubuntu has updated boost1.49 (input validation bypass).

The final comment period for the CC 4.0 license suite

The Creative Commons has announced the posting of the third and final draft of the 4.0 license suite and the beginning of the last comment period. "In this third discussion period, we will be returning our attention to ShareAlike compatibility, the centerpiece of our interoperability agenda. We will take a harder look at the mechanism necessary to permit one-way compatibility out from BY-SA to other similarly spirited licenses like GPLv3, and whether one-way compatibility is, in fact, desired."

Liberated Pixel Cup winning games announced

Liberated Pixel Cup, the free software game-design contest, has finally revealed the winning entries. The overall grand prize went to "Lurking Patrol Comrades," with additional nods going to "Big Island," "Castle Defense," and "Laurelia's Polymorphable Citizens." In addition to the wrap-up, the announcement addressed the potential for more LPC-style contests in the future: "Despite the judging delay, one other sign of success is how excited many of the participants of this year's Liberated Pixel Cup have been to find out if there would be another one. The answer is simply: we aren't sure, but we are certainly interested in it."

Opera moves to WebKit and V8

Opera has announced that it will stop using its own rendering engine and will migrate its browser to WebKit and the V8 JavaScript engine—specifically, the Chromium flavor of WebKit. Opera Mobile will be ported first, with the desktop edition to follow later. The announcement downplays the significance of the change, saying: "Of course, a browser is much more than just a renderer and a JS engine, so this is primarily an "under the hood" change. Consumers will initially notice better site compatibility, especially with mobile-facing sites - many of which have only been tested in WebKit browsers."

Ubuntu for phone to be previewed February 21

Canonical has announced that a preview version of its distribution for phones will be made available on February 21. "The release also marks the start of a new era for Ubuntu, with true convergence between devices. When complete, the same Ubuntu code will deliver a mobile, tablet, desktop or TV experiences depending on the device it is installed on, or where it is docked. Ubuntu 13.10 (due in October) will include a complete entry-level smartphone experience." The initial images will be for Galaxy Nexus and Nexus 4 handsets.

Friday's security updates

Debian has updated openconnect (code execution).

openSUSE has updated blender (privilege escalation), flash-player (multiple vulnerabilities), gnome-online-accounts (information disclosure), inkscape (multiple vulnerabilities), and rubygem-rdoc (cross-site scripting).

SUSE has updated flash-player (multiple vulnerabilities).

Ubuntu has updated kernel (10.04 LTS; denial of service), kernel-omap4 (11.10; multiple vulnerabilities), openjdk (multiple vulnerabilities), and qt4-x11 (multiple vulnerabilities).

Bottomley: Owning your Windows 8 UEFI Platform

James Bottomley describes the process of taking control of a UEFI secure boot system. "Even if you only ever plan to run Windows or stock distributions of Linux that already have secure boot support, I’d encourage everybody who has a new UEFI secure boot platform to take ownership of it. The way you do this is by installing your own Platform Key. Once you have done this, you can use key database maintenance tools like keytool to edit all the keys on the Platform and move the platform programmatically from Setup Mode to User Mode and back again. This blog post describes how you go about doing this."

Python trademark at risk in Europe

The Python Software Foundation (PSF) has announced that the trademark on "Python" is at risk in the European Union. A company called Veber has applied for a community trademark on Python "for all software, services, servers... pretty much anything having to do with a computer". The PSF is looking for help in opposing the application: "According to our London counsel, some of the best pieces of evidence we can submit to the European trademark office are official letters from well-known companies 'using PYTHON branded software in various member states of the EU' so that we can 'obtain independent witness statements from them attesting to the trade origin significance of the PYTHON mark in connection with the software and related goods/services.' We also need evidence of use throughout the EU." (Thanks to Ben Boeckel and Sebastian Pipping.)

How The Linux Foundation and Fedora are Addressing Workstation Security (Linux.com)

Over at Linux.com, Linux Foundation (LF) system administrator Konstantin Ryabitsev describes a joint effort by the LF and the Fedora project to support two-factor authentication in Linux. The article describes multi-factor authentication, some of the problems inherent with using hardware tokens, and notes that smartphones can provide much of the same functionality without requiring a dedicated device. "Nearly all of us carry a powerful computer in our pocket that is more than capable of calculating and displaying TOTP [Time-based One-Time Password] tokens. Google recognized this a while back and released a free mobile app called 'Google Authenticator,' available on most mobile platforms. Anyone can set up two-factor authentication for their Google Account using the Authenticator, but the best part is that it's not just limited to Google's services. Since TOTP is an open standard, any infrastructure can use Google Authenticator to provision their own software tokens and implement TOTP-based two-factor authentication for their services."

Stable kernels 3.7.8, 3.4.31, and 3.0.64

Greg Kroah-Hartman has released the 3.7.8, 3.4.31, and 3.0.64 stable kernels. Most of the changes are in the net and drivers/net trees, but there are fixes elsewhere as well. All users of those kernel series should upgrade.

Akademy and Qt Contributor Summit Join Forces

Akademy, the KDE community summit, will be hosting the Qt Contributor Summit during the week of July 13-19 in Bilbao, Spain. "A combined conference makes sense. There are many strong personal ties and working relationships among KDE and Qt contributors. Meeting face-to-face will be productive for both projects. 'As part of both the Qt and KDE communities, I've seen how the two have benefited from each other. In the last year and a half, the pace picked up when many KDE developers started working on Qt and certain features inspired by KDE were proposed and accepted into Qt 5. Akademy and the Qt Contributor Summit co-hosting this year means the two communities will have a much bigger opportunity for cross-pollination of ideas.' Thiago Macieira, Qt Core Maintainer, Software Architect at Open Source Technology Center, Intel Corporation." The core Akademy talks will be on Saturday and Sunday (July 13-14), while the Qt Contributor Summit will be "unconference" style in parallel with the Akademy Birds of a Feather (BoF) sessions on Monday and Tuesday (July 15-16).

Security advisories for Thursday

Debian has updated openssl (plaintext recovery and denial of service) and polarssl (plaintext recovery, distinguishing attack, and denial of service).

Fedora has updated openstack-glance (F18: password leak).

Mageia has updated openssh (M2: denial of service from 2010).

openSUSE has updated inkscape (12.1, 12.2: two file access vulnerabilities) and flash-player (12.1: multiple vulnerabilities).

Slackware has updated pidgin (multiple vulnerabilities).

SUSE has updated firefox (SLE11: multiple vulnerabilities).

Ubuntu has updated jquery (10.04, 11.10: cross-site scripting from 2011).

[$] LCA: The ways of Wayland

Collabora's Daniel Stone presented the final piece of the linux.conf.au 2013 display server triptych, which started with a pair of talks from Keith Packard and David Airlie. Stone explained the concepts behind Wayland and how it relates to X11—because, as he put it, "everything you read on the Internet about it will be wrong." Presumably that includes this article, but subscribers are invited to click below and read the whole thing regardless.

Wednesday's security advisories

Debian has updated rails (protection bypass/code execution).

Fedora has updated openssh (F18: denial of service) and qt (F18: information disclosure).

Mageia has updated coreutils (multiple vulnerabilities), postgresql (information disclosure/denial of service), gnutls (information disclosure), and flash-player-plugin (multiple vulnerabilities).

Mandriva has updated samba (multiple vulnerabilities in SWAT).

openSUSE has updated opera (TLS information leak).

Red Hat has updated flash-plugin (multiple vulnerabilities).

Scientific Linux has updated java-1.6.0-sun (SL5: multiple unspecified vulnerabilities).

SUSE has updated flash-player (code execution).

Ubuntu has updated curl (12.10: code execution).

FSFE: I love Free Software Day

The Free Software Foundation Europe is asking free software users to show their appreciation on February 14, "I love Free Software Day". "'Every day, we use Free Software and often take it for granted. We write bug reports, tell others how they should improve their software, or ask them for new features - and often we are not shy about criticising. So, to let the people in Free Software receive a positive feedback at least once a year, there is the "I love Free Software day".' says Matthias Kirschner, who initiated the FSFE's #ilovefs campaign."
